PLUS: Judge spanks NSO; Mozilla requires data use disclosures; TARmageddon meets Rust; And more!
Infosec In Brief Former basketball star Shaquille O’Neal is 7’1″ (215 cm), and therefore uses car customization companies to modify vehicles to fit his frame. But it appears cybercriminals have targeted Shaq’s preferred motor-modder.
According to a report from last week, Effortless Motors – which was modifying a Range Rover for O’Neal before shipping it from Atlanta to Louisiana – lost track of the vehicle after it was picked up for transport. The company later confirmed to TMZ that a cyberattack on the org that was supposed to transport the vehicle led to its vanishing in transit.
“This was a highly coordinated criminal act targeting the transport company’s network,” Effortless told TMZ. “We are working closely with law enforcement and federal investigators to recover the vehicle and hold those responsible accountable.”
If they aren’t die-hard collectors, the thieves might have a tough time fencing such a highly-customized vehicle on the black market, but hey – that wasn’t exactly the most brazen recent theft of a hard-to-pawn object.
A judge has permanently banned spyware maker NSO Group from targeting Meta’s WhatsApp messaging platform.
Israel-based NSO Group has been embroiled in a legal fight with Meta since 2019, when the social media giant discovered and patched a flaw in WhatsApp. Meta alleged the NSO used the flaw to deliver its Pegasus spyware to journalists, politicians, and other WhatsApp users. The Social Network ™ sued and a California jury awarded the company $167 million in damages in May.
But the case wasn’t over, as Meta used its victory to push for a permanent injunction against NSO Group that a judge granted last week.
Northern District of California District Court Judge Phyllis Hamilton’s judgement states that NSO’s tactics were sneaky, undetectable, and prolific, and sufficient to justify a ban on NSO Group ever interacting with WhatsApp again.
“Defendants reverse engineered plaintiffs’ code to evade detection and to defeat encryption, and infected the target users’ devices with spyware that no one wanted or expected,” Hamilton wrote.
Hamilton said that she agreed with Meta that the evidence before the court suggested NSO still has the expertise and financial incentive to keep trying to exploit WhatsApp and hide its work from the Facebook parent company.
“Having concluded that defendants’ conduct causes irreparable harm, and there being no dispute that the conduct is ongoing, the court concludes … in favor of granting an injunction,” Hamilton said. The judge barred a broader injunction request from Meta barring NSO from targeting its other products.
Additionally, Meta won’t be getting anywhere near the payout the jury decided it should receive, with Hamilton reducing punitive damages in the case to just a little over $4 million. Whether that’ll be enough to stop a foreign spyware maker from targeting an American software vendor is anyone’s guess.
A remote code execution discovered in the async-tar Rust library has security researchers warning those using some of the popular library’s forks to seek out actively developed versions instead of abandonware.
The aptly-named TARmageddon (CVE-2025-62518, CVSS 8.1) is a boundary parsing vulnerability that relies on inconsistent PAX/ustar header handling to let an attacker hide additional archive entries in a TAR file, explain researchers at Edera, the company that discovered the vulnerability. If the attack is successfully executed, an attacker can execute remote code, overwrite files, conduct supply chain attacks, and generally make a mess of affected systems.
To make matters worse, the most popular fork of async-tar, says Edera, is tokio-tar, and that’s no longer being maintained.
“If you depend on tokio-tar, consider migrating to an actively maintained fork like astral-tokio-tar,” Edera noted. The company said it’s also archiving its own async-tar fork, krata-toki-tar, in order to “reduce the ecosystem confusion” and force Rust devs to start using a single open-source product.
There’s no workaround to fix the issue, so best update as soon as practically possible.
The American organization formerly known as the Boy Scouts already trains kids to survive in the wilderness; now members can start training to survive in the inhospitable wilderness of the modern internet.
Scouting America, which is now open to boys and girls, introduced merit badges for AI and cybersecurity skills last week. Rather than training kids how to hack and prompt inject for a future career in the tech sector, the badges will focus more on how to stay cyber-safe in a world increasingly hostile to developing young minds.
Scouts who want to pursue the AI merit badge will learn about various types of AI systems and the ethics and impact of AI usage, while cybersecurity badge seekers will learn basic things like how to spot threats, good digital hygiene, and online safety. Both badges will also introduce careers in both fields, but Scouting America noted that the badges are more about “how to use technology responsibly” than giving kids advanced hands-on learning.
Devs who write or maintain browser extensions for Firefox, take note: As of November you’ll need to start specifying whether your code collects or transmits the personal data of its users, lest it be removed from Mozilla’s extension download site.
Firefox addons project manager Alan Byrne revealed the change, scheduled to go into effect on November 3, in a blog post last week. Once the change goes live, users will see a full list of data collection information when installing an extension in the same window where they grant it permissions.
Developers of Firefox extensions will need to add details about what data is collected and/or transmitted in their software’s manifest file as explained here.
Note that this only applies to new extensions – updates to existing add-ons won’t have to reveal their data collection and sharing practices, at least for now.
“In the first half of 2026, Mozilla will require all extensions to adopt this framework,” Byrne noted, adding that developers should keep an eye on the Mozilla add-ons community blog for “new features to ease this transition for both extension developers and users” that will be explained in the coming months. ®
